# ============================================
# Fail2Ban入侵防护系统配置文件
# ============================================
# 本文件由Ansible自动生成 - 请勿手动编辑
# Fail2Ban通过监控日志文件来检测恶意行为并自动封禁IP地址

[DEFAULT]
# ============================================
# 全局默认配置
# ============================================

# 封禁时间（秒）- IP被封禁的持续时间
bantime = {{ security_fail2ban_config.bantime }}

# 覆盖默认的firewalld配置，使用iptables进行封禁
banaction = iptables-multiport

# 查找时间窗口（秒）- 在此时间内达到最大重试次数将被封禁
findtime = {{ security_fail2ban_config.findtime }}

# 最大重试次数 - 在查找时间内失败次数达到此值将被封禁
maxretry = {{ security_fail2ban_config.maxretry }}

# ============================================
# 邮件通知配置
# ============================================

# 目标邮箱地址 - 用于接收封禁通知邮件
destemail = root@localhost

# 发送者邮箱地址 - 用于发送通知邮件
sender = root@localhost

# 邮件传输代理 - 从0.8.1版本开始Fail2Ban使用sendmail发送邮件
mta = sendmail

# ============================================
# 网络和防火墙配置
# ============================================

# 默认协议类型
protocol = tcp

# iptables链名称 - 指定在哪个链中添加封禁规则
chain = INPUT

# 默认端口范围 - 通常在具体的监狱中会被覆盖
port = 0:65535

# ============================================
# 动作配置快捷方式
# ============================================

# 最简单的动作：仅封禁IP
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# 封禁IP并发送包含whois信息的邮件通知
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# 封禁IP并发送包含whois信息和相关日志行的邮件通知
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# 封禁IP并向IP地址的滥用联系人发送XARF格式的邮件
# 参见action.d/xarf-login-attack中的重要说明
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# 选择默认动作 - 可以通过覆盖'action'值来改变
# 可以在全局[DEFAULT]部分或特定部分中设置
action = %(action_)s

# ============================================
# 监狱配置（从变量中动态生成）
# ============================================

{% for jail in security_fail2ban_config.jails %}
# {{ jail.name }}监狱配置
[{{ jail.name }}]
enabled = {{ jail.enabled | lower }}    # 是否启用此监狱
port = {{ jail.port }}                  # 监控的端口
filter = {{ jail.filter }}              # 使用的过滤器
logpath = {{ jail.logpath }}            # 监控的日志文件路径
{% if jail.maxretry is defined %}
maxretry = {{ jail.maxretry }}          # 自定义最大重试次数
{% endif %}
{% if jail.bantime is defined %}
bantime = {{ jail.bantime }}            # 自定义封禁时间
{% endif %}
{% if jail.findtime is defined %}
findtime = {{ jail.findtime }}          # 自定义查找时间窗口
{% endif %}

{% endfor %}

# ============================================
# 额外的自定义监狱配置
# ============================================

# Apache HTTP认证失败监狱
[apache-auth]
enabled = false                          # 默认禁用，需要时可启用
port = http,https                        # 监控HTTP和HTTPS端口
filter = apache-auth                     # 使用apache-auth过滤器
logpath = /var/log/httpd/error_log       # Apache错误日志路径
maxretry = 6                             # 允许6次失败尝试

# Apache恶意机器人监狱
[apache-badbots]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = apache-badbots                  # 检测恶意爬虫和机器人
logpath = /var/log/httpd/access_log      # Apache访问日志路径
bantime = 172800                         # 封禁48小时（172800秒）
maxretry = 1                             # 仅允许1次恶意行为

# Apache脚本注入攻击监狱
[apache-noscript]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = apache-noscript                 # 检测脚本注入攻击
logpath = /var/log/httpd/error_log       # Apache错误日志路径
maxretry = 6                             # 允许6次失败尝试

# Apache缓冲区溢出攻击监狱
[apache-overflows]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = apache-overflows                # 检测缓冲区溢出攻击
logpath = /var/log/httpd/error_log       # Apache错误日志路径
maxretry = 2                             # 仅允许2次攻击尝试

# Apache主目录访问攻击监狱
[apache-nohome]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = apache-nohome                   # 检测对不存在主目录的访问
logpath = /var/log/httpd/error_log       # Apache错误日志路径
maxretry = 2                             # 仅允许2次失败尝试

# Nginx HTTP认证失败监狱
[nginx-http-auth]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = nginx-http-auth                 # 检测Nginx HTTP认证失败
logpath = /var/log/nginx/error.log       # Nginx错误日志路径

# Nginx请求限制监狱
[nginx-limit-req]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = nginx-limit-req                 # 检测超出请求限制的行为
logpath = /var/log/nginx/error.log       # Nginx错误日志路径

# PHP URL fopen攻击监狱
[php-url-fopen]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = php-url-fopen                   # 检测PHP URL fopen攻击
logpath = /var/log/nginx/access.log      # Nginx访问日志路径

# Suhosin PHP安全扩展监狱
[suhosin]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = suhosin                         # 检测Suhosin安全事件
logpath = /var/log/lighttpd/error.log    # Lighttpd错误日志路径

# Lighttpd认证失败监狱
[lighttpd-auth]
enabled = false                          # 默认禁用
port = http,https                        # 监控HTTP和HTTPS端口
filter = lighttpd-auth                   # 检测Lighttpd认证失败
logpath = /var/log/lighttpd/error.log    # Lighttpd错误日志路径